Clothing Retailer H&M Told to Wear $41 Million GDPR Fine


Employee Surveillance Violations Trigger Germany’s Biggest Privacy Fine to Date

H&M store in Stockholm (Photo: Robert Lindholm, H&M)

Privacy regulators in Germany have slammed the world’s second-largest clothing retailer, H&M, with a €35.2 million ($41.4 million) fine for violating EU privacy laws.


The fine, issued by the Hamburg Data Protection Authority – aka HmbBfDI – under the EU’s General Data Protection Regulation, represents the largest privacy fine to have ever been issued by a German regulator, and centers on illegal workplace surveillance at a service center in Nuremberg.

Stockholm-based Hennes & Mauritz AB – better known as H&M – operates 5,000 stores across 74 countries and employs 126,000 people.

“H&M takes full responsibility and wishes to make an unreserved apology to the employees at the service center in Nuremberg,” the company said in response to the German regulator’s decision, adding that it “will now review this decision carefully.”

The news of the fine in Germany comes as H&M has announced that over the next year it plans to close 250 stores – about 5% of its locations – because the ongoing COVID-19 pandemic has driven more people to avoid stores in favor of online shopping.

The fine levied by the German regional data protection authority comes after a long-running investigation into employee-monitoring practices at H&M Hennes & Mauritz Online Shop A.B. & Co KG, a Hamburg-based subsidiary of the clothing giant at which several hundred people are employed.

Johannes Caspar, Hamburg’s commissioner for data protection and freedom of information

“This case documents a serious disregard for employee data protection at the H&M site,” says Johannes Caspar, Hamburg’s commissioner for data protection and freedom of information. “The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees.”

The HmbBfDI says that “since at least 2014, parts of the workforce have been subject to extensive recording of details about their private lives,” with notes being “permanently stored on a network drive.” Information included “welcome back talks” with employees, during which details of potential illnesses and symptoms were oftentimes recorded by managers, and shared with up to 50 other managers inside the company, the HmbBfDI says.

“In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment,” the regulator says. “The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.”

The processing of employee data came to light in October 2019, after a configuration error made the collected data accessible to everyone inside the service center for several hours.

Security Breach Triggers Investigation

H&M says it “immediately” reported the incident as a security breach to the regulator.

After receiving the security breach notification, Hamburg’s privacy regulator launched an investigation and immediately ordered the company to freeze the database and provide it with a complete copy of the data, which ran to 60 GB.

“It is worth remembering that in addition to having the power to levy fines, data protection authorities have the power to do other things under GDPR Article 58, including the power to order a data controller or data processor to provide any information it requires, to obtain from a controller or processor access to all personal data ‘and to all information necessary for the performance of its tasks’ and the power to access premises and equipment,” says Jonathan Armstrong, a partner at London-based law firm Cordery.

GDPR’s Article 58 (excerpted here) gives supervisory authorities broad investigative powers

The HmbBfDI says H&M fully assisted its investigation.

H&M has pledged to financially compensate all employees who have worked for the organization for at least one month since GDPR came into full effect in May 2018.

“This is an unprecedented acknowledgement of corporate responsibility following a data protection incident,” says the HmbBfDI.

The H&M Group says that when the inappropriate employee monitoring practices came to light last year, it immediately began instituting multiple changes, including “personnel changes at management level” at the service center, additional training for managers on data protection and labor law, revised HR policies, creating a new “data protection coordinator” role, revising data-retention and data-deletion processes, and investing in new technology to better protect data.

“H&M Group wants to emphasize its commitment to GDPR compliance and reassure its customers and employees that the company takes privacy and the protection of all personal data as top priority,” the company says in a statement. “The H&M Group strictly adheres to laws and regulations stipulated by the relevant data protection authorities, as well as the company’s own high standards.”

Pandemic: Employee Monitoring Caution

Although this incident occurred before the COVID-19 pandemic began, Cordery’s Armstrong says it’s unlikely the regulator would have viewed this situation any differently if it had begun after the outbreak.

Cordery’s Jonathan Armstrong

“In our view … it is unlikely that the DPA would have been more sympathetic to the collection of additional data without credible justification, even now,” Armstrong says. “More than 40 DPAs have issued specific guidance on the collection of extra data during the pandemic – including health data, data on holiday travel and domestic arrangements – and there’s a need for extra caution when processing data like that.”

Data protection practices are arguably more in the spotlight now than ever before, as the pandemic continues to have a wide-ranging economic impact, driving many organizations to lay off workers, and others to weigh new approaches to trying to gauge remote workers’ productivity.

“[We’re] seeing a significant rise in data protection requests and complaints, especially from employees who have been furloughed or let go and so the 2020 situation is likely to be even more challenging than the situation H&M faced in 2019,” Armstrong says.

He also cautions organizations to be careful with how they deploy employee monitoring tools – aka productivity tools or bossware – as more employees continue to work from home (see: Barclays Faces Employee Spying Probe).

“We know that these tools are under investigation in at least one case – involving Barclays Bank – and there is a special need for care when processing this type of data,” he says.
